Google to quit sniffing Wi-Fi data

Google's tendency to innovate first and answer privacy questions later has once again landed it in hot water.

After admitting on 5 May that its Street View camera cars had acquired the names and ID codes of our domestic Wi-Fi networks, Google now says it also recorded some of the personal data people broadcast over their wireless networks.

The information in question, dubbed "payload data", is the actual content of a wireless transmission. That suggests Google has amassed a record of data that could include some users' web page requests or personal passwords - although the firm says the information is likely to be highly fragmented, as it was sniffed by Street View cars driving past homes and businesses.

Google says it collected Wi-Fi ID data for the good of its customers: in built-up areas, where GPS accuracy can drift, a map of local Wi-Fi hotspots can boost the accuracy of the positioning services that help smartphone users running Google Maps apps pinpoint their location.

Because Wi-Fi data is freely broadcast, Google says it did not believe it was illegal to collect it - or necessary to tell Wi-Fi network owners it was doing so. But the firm's actions have angered government data protection commissioners in Europe, as New Scientist reported.

At the time, Google claimed that consumer privacy had not been compromised because no actual Wi-Fi data traffic was recorded - a claim that now turns out to have been wrong.

"We have been mistakenly collecting samples of payload data from non-password-protected Wi-Fi networks, even though we never used that data in any Google products," admitted Alan Eustace of Google's engineering and research department in a 14 May blog post.

How did it happen? Eustace says some experimental payload data acquisition code remained in the Wi-Fi ID acquisition software used by the Street View cars. "Quite simply, it was a mistake," he says.

Critics aren't quite buying that. Pressure group Privacy International wants to know why the payload data acquisition software was written in the first place, why it was not ruled out from the code deployed in the Street View cars and how no one noticed the "substantial" payload data files taking up storage space in the last four years.

"Google has for years penetrated private networks, apparently illegally," she says. She wants all the acquired Wi-Fi data deleted.

Privacy International thinks the issue results from a flaw in Google's culture. "This latest incident was not caused by a mistake; it was caused by a failure of process that cuts across the entire company."

Realising the gravity of the issue, Google says it will now end all Wi-Fi sniffing. "Given the concerns raised, we have decided that it's best to stop our Street View cars collecting Wi-Fi network data entirely," says Eustace.

Hardly "penetrated private networks". Their offense is akin to leaving a tape recorder running in a public library. Unencrypted WiFi broadcasts data further than you might think, so the prudent traveler will log in only to secure networks, and assume that their web activities may be monitored. In Germany, laws now actually prohibit people from operating unencrypted access points.

The original purpose of Google's logging is actually very useful - it will allow your iPhone map to work inside buildings such as shopping malls, airports, train stations etc. and allow a faster GPS fix outside.

Andrew Daviel
on May 17, 2010 7:04 PM

It should be obvious to European governments that the mass collection of "data payloads" in industrial, high tech and near government buildings by an American company is suspicious. The NSA/CIA have computer systems that could easily decrypt and re-assemble fragmented data. This is clearly a breach of European national security and a possible case of international commercial espionage. How are we to know that a lingering (coffee break) Google camera car was in fact not a US secret service vehicle snooping on a company's data? Of course, just because Google says they have stopped collecting WiFi data doesn't mean that they will. European governments should introduce laws that allow them to inspect Google camera cars and impound them if they find snooping technology on board. It is ironic that this follows indignation by Google that apparent Chinese hackers had attempted to snoop on them. Google Street View should never have been allowed in Europe.

I'd really like to hear a story about Google acting out of line that isn't obviously alarmist journalism or conspiracy theory.

Alarmed and conspired
on May 17, 2010 11:55 PM

Clearly a gross invasion of privacy, for 4 years - would now think twice about buying Google products esp. in telecommunications area, and view the relevance of their privacy policy as a search engine provider with skepticism.

Tommy Payne
on May 18, 2010 9:43 AM

I love Google and support them but I think they did this on purpose and some of my respect for them is now dead.

It would be more useful if this story were aimed to educate people about the potential risks of using unencrypted WLAN and email connections. However, journalists and politicians prefer the cheap and far less useful route here, namely to bash a well-known brand name. Better remind the world that everyone who owns a laptop and a bicycle can collect such data trivially.

It would be a big shame if as a result of this silly media outcry, such companies stopped offering their incredibly useful WLAN-based positioning service.

The alleged privacy violation claimed here seems ridiculously out of proportion. Fragments of user payload that are recorded for only the couple of seconds that the car is in range are hardly able to provide a useful picture of the user. I can't really see anyone paying money for that sort of low-quality data. Moreover, the vast majority of privately-owned WLAN access points are already encrypted today, simply because for several years this has been the default setting. You have to look a bit to find an unencrypted one, and most of these are in companies rather than at home. Many are even intentionally open, e.g. in pubs, cafes, libraries and universities, for the benefit of visitors.